Thursday, September 18, 2008

I used to know what you watched, on YouTube

In doing some crossdomain.xml (Flash cross-domain policy) research I noticed that YouTube's policy file trusted *.google.com, which means any SWF served from any host under google.com could read authenticated YouTube responses. Google quickly removed the entry after I privately disclosed the following security flaw to them.

My idea was that if an attacker could upload an arbitrary Flash movie (SWF) anywhere on the google.com domain they could leverage that trust. So if an authenticated YouTube user visited an attacker-controlled page anywhere on the Web, the attacker could embed the google.com-hosted SWF in that page, and the SWF would run with YouTube's cross-domain permission: it could compromise the victim's YouTube username, email address, first/last name, and viewing history, and even comment or post/delete videos.
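The underlying mistake is a policy that extends trust to every host under a domain the site doesn't fully control. Below is an added example (not code from the original post, and not YouTube's actual policy) of a small crossdomain.xml auditor that flags exactly this class of entry. Both sample policies are constructed for illustration; the flagging thresholds and the `own_domain` parameter are my own assumptions, not Adobe's rules.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not YouTube's real file).  WEAK_POLICY has the
# shape the post describes: the video site trusts every host under google.com.
WEAK_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.google.com" />
  <allow-access-from domain="*.youtube.com" secure="false" />
</cross-domain-policy>
"""

# Hardened counterpart: explicit hosts only, master-only so no other policy
# file on the server can widen the trust, and secure left at its default.
HARDENED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="www.youtube.com" />
</cross-domain-policy>
"""


def audit_crossdomain(xml_text, own_domain):
    """Return a list of (severity, message) findings for one crossdomain.xml.

    own_domain is the registrable domain of the site serving the policy
    (e.g. "youtube.com"); any host outside it is third-party trust.
    """
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [("high", "root element is <%s>, not <cross-domain-policy>" % root.tag)]

    # An explicit master-only keeps a stray policy file elsewhere on the host
    # (e.g. in a user-upload directory) from granting additional access.
    if root.find("site-control") is None:
        findings.append(("low", 'no <site-control>; set permitted-cross-domain-policies="master-only"'))

    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append(("high", 'domain="*" trusts every origin on the Internet'))
        elif domain.startswith("*."):
            suffix = domain[2:]
            if suffix == own_domain or suffix.endswith("." + own_domain):
                # Still risky: every subdomain, including ones serving user content.
                findings.append(("medium", "wildcard %s trusts every subdomain of the site itself" % domain))
            else:
                # The post's case: a SWF uploaded anywhere under the trusted
                # domain reads this site's authenticated responses.
                findings.append(("high", "wildcard %s trusts a third-party domain; any SWF hosted under %s "
                                 "can read %s as the victim" % (domain, suffix, own_domain)))
        elif domain != own_domain and not domain.endswith("." + own_domain):
            findings.append(("medium", "third-party host %s can read authenticated responses" % domain))
        # secure="false" lets a SWF loaded over plain HTTP read HTTPS responses.
        if el.get("secure", "true").lower() == "false":
            findings.append(("medium", 'secure="false" on %s allows plain-HTTP SWFs' % domain))

    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*" or el.get("headers") == "*":
            findings.append(("medium", "wildcard allow-http-request-headers-from lets foreign SWFs set custom headers"))
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name)
        for sev, msg in audit_crossdomain(policy, "youtube.com"):
            print("  [%s] %s" % (sev, msg))
```

Run it against a site's live `/crossdomain.xml` and any `high` finding on a domain the site does not exclusively control is the condition this post exploited: the attacker only needs one upload path under that domain.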

Billy Rios blogged in the past about being able to upload arbitrary files to google.com, but the only place I could locate that allowed SWFs when I checked was Gmail. Maybe others?

Anyway, I emailed a SWF attachment to a Gmail account I controlled and located the attachment's download URL. Perfect, but the next problem was that even with the correct URL the victim is not authorized to fetch the file unless they are authenticated to THAT particular Gmail account. This is where the login-CSRF / identity misbinding trick the Stanford guys wrote up came in quite handy: force the victim's browser to log in to the attacker's Gmail account, and the attachment URL becomes readable in the victim's browser.

Here’s the step by step.

1) Attacker emails a special SWF to a Gmail account they control and locates the attachment download URL on google.com.
2) Logged-in YouTube user visits an attacker-controlled page.
3) Attacker forces their victim to authenticate to the attacker's Gmail account (identity misbinding / login CSRF).
4) Attacker embeds the SWF from the Gmail account into the web page; because the SWF is served from google.com, YouTube's crossdomain.xml lets it read YouTube responses sent with the victim's cookies.
5) Attacker now has read/write access on YouTube.com as the victim's account.

Video:

Clever, eh? :) I'm sure Google/YouTube aren't the only places where this particular scenario is still possible: any site whose crossdomain.xml trusts a domain that hosts user-uploaded content has the same exposure.

Many thanks to Rich Cannings and Chris Evans from the Google Security team who shepherded this along!

11 comments:

Been there done that, got the tshirt will be presenting lots of gmail 0day at Power of Community :p

Speaking of the login trick, why do I never get any credit for anything: http://kuza55.blogspot.com/2008/02/exploiting-csrf-protected-xss.html (I even spent a good portion of time explaining it at 24c3)

P.S. Damn Stanford team getting my gadgets 0day patched and not even knowing how to fully exploit it.

P.P.S Cool find though :) (Sorry, let my bitterness get in the way of what I meant to say yet again), I honestly hadn't even considered using an essentially logged-out XSF (Stefano's term) to abuse trust policies, thanks for the info :D

Sweet! I talked about using CSRF to login to someone's gmail acct and pull an attachment at DEFCON 15 (Biting the Hand That Feeds You), but I wasn't creative enough to pull off an attack like this! Great job and way to put the pieces together!

Rios and I found some stuff similar to this that we talked about at DEFCON 15 (Biting the Hand That Feeds You), but this is a real interesting vector you leveraged there. It's also fairly similar to other content ownership issues that have been discussed, really it's things like this that led to the ideas for the GIFAR stuff.

I think you and I talked about how PDP and I talked about the GIFAR thing and realized we had went slightly different directions with the same thing. I find it real interesting how often people find their ideas intersecting on this stuff. We didn't get time to have our meeting at Vegas, but we should get a handful of minds together and talk about some of this stuff in the future, see what comes out of it.

That said, since you, Kuza, Rios and I have all found similar flaws with this, I couldn't help but point to a rap song that Rios and I wrote back in 1994 that claims our legitimacy to the pwnership of this research... here it goes:

"Listen close as life turns its pages
McNasty here kickin rhymes for the ages

See things is changin
Wise words spoken by sages

From Skytel to Blackberry pagers
Your crew dont phase us

We'll make you busters pay us
Run up in yo spot like CJ from San Andreas

Rios and I wrote this sploit a long time ago
A real long time ago, can ya FEEL ME?
We wrote this sploit a long time ago
It was the dopest sploit that we wrote, back in 94"

Ok, I'm just kidding, we didn't write the sploit back in '94. And I didn't write that rap either. It came from Chappelle show... go watch that shit if you haven't seen it, it's hilarious.

I would like to know what/if Apple's Mobile Me mail has CSRF protection. I pay about $100 bucks a year for my email account because I figured it was very secure and I could never lose my account as I use it for my business.

So, does this mean Google gmail is more Secure than Apple's Mobile Me mail?

About Me

Jeremiah Grossman's career spans nearly 20 years and has lived a literal lifetime in computer security to become one of the industry's biggest names. He has received a number of industry awards, been publicly thanked by Microsoft, Mozilla, Google, Facebook, and many others for his security research. Jeremiah has written hundreds of articles and white papers. As an industry veteran, he has been featured in hundreds of media outlets around the world. Jeremiah has been a guest speaker on six continents at hundreds of events including many top universities. All of this was after Jeremiah served as an information security officer at Yahoo!